Your screen is flashing red. A loud voice says your computer is infected. A countdown timer warns you have 3 minutes before your data is "destroyed." Take a breath. This is not a real virus. It's a webpage designed to scare you into doing something dangerous. Here's how to get rid of it and make sure it doesn't come back.
A fake virus popup is a webpage or browser notification that impersonates a security warning. It might look like a Windows Defender alert, a macOS system dialog, or a warning from "Google Security." But it's none of those things. It's just HTML, CSS, and JavaScript running inside your browser tab.
These scam pages cannot scan your computer. They cannot detect viruses. They have no access to your files, your operating system, or your installed software. Everything they "find" is hardcoded into the page before you even visit it. The "5 viruses detected" message would show up even if you were browsing from a brand-new computer with nothing installed.
The goal is simple: panic you into calling a fake support number, downloading malware disguised as antivirus software, or paying for a "cleanup" that does nothing. These are textbook phishing attacks that rely on fear instead of curiosity.
Key point: If a virus warning appears inside your browser, it is almost certainly fake. Real antivirus software (Windows Defender, Malwarebytes, etc.) generates system-level alerts outside the browser, not web pages with countdown timers and phone numbers.
Understanding the mechanics helps you recognize them instantly. Scammers use a few standard tricks:
The simplest version uses alert() or confirm() dialogs in a loop. Every time you click OK or close the dialog, another one appears immediately. This makes it feel like the browser is "locked" and you can't escape. In reality, you can break out by force-closing the tab or the entire browser.
More sophisticated scams use the Fullscreen API to take over your entire screen, hiding the browser's address bar, tabs, and close button. They then render a fake desktop environment with fake warning dialogs on top. This is extremely convincing to people who aren't expecting it. The escape key or F11 will exit full-screen mode on most browsers.
Some scam pages load inside hidden iframes on otherwise legitimate-looking sites. You click a link to read an article and silently get redirected through a chain of ad networks until you land on the fake virus page. The original site may not even know it's happening — its ad slot was simply bought by a bad actor.
Notification abuse is the most persistent variant. A website asks for notification permission (often disguised as a CAPTCHA or "click Allow to continue" prompt). Once granted, that site can push popup-style messages to your screen at any time — even when the browser is closed. These notifications mimic virus alerts and link back to the scam page.
Never call a phone number displayed in a browser virus warning. Legitimate companies like Microsoft, Apple, and Google will never ask you to call a support number from a browser popup. These numbers connect to scam call centers that will try to gain remote access to your computer.
If you're currently staring at one of these popups, follow these steps in order. None of them require downloading anything.
Try pressing Ctrl+W (Windows/Linux) or Cmd+W (Mac) to close the current tab. If the page is blocking that with alert dialogs, close the entire browser with Alt+F4 (Windows) or Cmd+Q (Mac).
If that still doesn't work, open Task Manager (Ctrl+Shift+Esc on Windows, or Activity Monitor on Mac), find your browser in the list, and end the process. When you reopen the browser, don't click "Restore tabs" — that will bring the scam page right back.
This is the step most people skip, and it's why the popups keep coming back. Go to your browser's settings and review which sites have notification permission:
Remove any sites you don't recognize. If you're not sure, remove all of them. Legitimate sites will simply ask again next time you visit.
A rogue extension can redirect you to scam pages every time you open a new tab or click a link. Go to your browser's extension page (chrome://extensions in Chrome, about:addons in Firefox) and review the list. Remove anything you don't remember installing or anything that asks for permissions like "Read and change all your data on all websites."
Pay special attention to extensions that were installed recently or that have generic names like "Safe Browse" or "Video Downloader Pro." These are common disguises for adware.
Some scam pages store data in cookies or localStorage to track your visits and trigger the popup again later. Clearing your browsing data removes this. In most browsers, press Ctrl+Shift+Delete to open the clear data dialog. Select "Cookies and other site data" and "Cached images and files" for the past week, then clear.
If fake popups keep reappearing after the steps above, your browser's homepage, default search engine, or new tab page may have been changed by a rogue extension. Reset to defaults:
This preserves your bookmarks and saved passwords but removes extensions, custom settings, and pinned tabs.
Removing a single popup is a quick fix. Preventing them from ever appearing requires blocking the tactics they use. Here's what works:
Be skeptical of notification permission requests. If a website asks to send you notifications and you don't have a clear reason to allow it, click Block. Most notification permission prompts on random websites are either marketing spam or scam infrastructure. Your browser's default should be to deny these requests.
Don't trust ads on unfamiliar sites. The most common path to a fake virus popup is through a malicious ad on an otherwise normal website. An ad blocker reduces this risk significantly. uBlock Origin is a solid choice for general ad blocking.
Use real-time page analysis. PhishClean detects the specific techniques fake virus pages use before they can take over your screen. When a page attempts to create a suspicious full-screen overlay, load a hidden iframe, or trigger rapid alert dialogs, PhishClean flags it and warns you. This happens locally in your browser, in real time, without sending your browsing data anywhere.
PhishClean's approach: Blocklists of known scam URLs go stale within hours. PhishClean takes a different approach: it looks at what a page is actually doing — suspicious overlays, hidden iframes, HTTPS downgrades, form behavior that doesn't add up. A brand-new scam page gets caught even on its first day online because the technique is the signal, not the URL.
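An added example of treating the technique as the signal: it scans page source for the tricks described earlier (dialog loops, Fullscreen API calls, hidden iframes, notification bait, scare text with a phone number) and scores them together, so a single weak signal such as a video player's full-screen button does not trip it. This is not PhishClean's code; the rule names, weights, threshold and both sample pages are assumptions constructed for the illustration.

```javascript
// Added example: static heuristics over page source. Not PhishClean's implementation.
// Rule ids, weights and THRESHOLD are illustrative assumptions.
const RULES = [
  { id: 'dialog-loop', weight: 3, // alert()/confirm()/prompt() inside a loop or setInterval body
    test: s => /(?:\b(?:while|for)\s*\([^)]*\)|setInterval\s*\([^{]*)\s*\{[^}]*\b(?:alert|confirm|prompt)\s*\(/.test(s) },
  { id: 'fullscreen-request', weight: 2, // Fullscreen API call, including prefixed variants
    test: s => /\.(?:requestFullscreen|webkitRequestFullscreen|mozRequestFullScreen)\s*\(/.test(s) },
  { id: 'hidden-iframe', weight: 2, // iframe styled or sized so the user never sees it
    test: s => /<iframe\b[^>]*(?:display\s*:\s*none|visibility\s*:\s*hidden|\b(?:width|height)\s*=\s*["']?[01]\b)/i.test(s) },
  { id: 'notification-bait', weight: 3, // permission request paired with "click Allow" or CAPTCHA wording
    test: s => /Notification\.requestPermission\s*\(/.test(s) &&
               /(?:click|press|tap)\s+["']?allow|not a robot/i.test(s) },
  { id: 'scare-text-with-phone', weight: 2, // alarm wording on a page that also shows a phone number
    test: s => /virus(?:es)?\s+detected|is infected|data will be (?:destroyed|deleted)/i.test(s) &&
               /\b\d{3}[\s.-]\d{3}[\s.-]\d{4}\b/.test(s) },
];
const THRESHOLD = 3;

// Returns the matched rule ids, their summed weight, and a verdict.
function analyzePage(html) {
  const hits = RULES.filter(r => r.test(html));
  const score = hits.reduce((sum, r) => sum + r.weight, 0);
  return { score, hits: hits.map(r => r.id), suspicious: score >= THRESHOLD };
}

// Constructed samples, not captured from any real site.
const SCAM_SAMPLE = `
<h1>WARNING: 5 viruses detected!</h1><p>Call support now: 1-800-555-0100</p>
<iframe src="https://ads.example/track" width="0" height="0"></iframe>
<script>
  document.documentElement.requestFullscreen();
  while (true) { alert("Your PC is infected"); }
</script>`;

const BENIGN_SAMPLE = `
<h1>Video player</h1><button id="fs">Full screen</button>
<iframe src="https://player.example/embed/42" width="640" height="360"></iframe>
<script>
  document.getElementById('fs').onclick = () => document.querySelector('video').requestFullscreen();
  for (const row of rows) { render(row); }
  alert('Saved');
</script>`;

console.log(analyzePage(SCAM_SAMPLE));
console.log(analyzePage(BENIGN_SAMPLE));
```

Static matching like this misses obfuscated or dynamically generated script, which is why in-browser tools observe runtime behavior instead of source text.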
Keep your browser up to date. Browser vendors regularly patch the APIs that scam pages exploit. An outdated browser is more vulnerable to full-screen takeovers and alert dialog loops. Chrome, Firefox, and Edge all auto-update — just make sure you restart your browser periodically so pending updates get applied.
If you only saw the popup and closed it, you're fine. No damage was done. But if you took action — clicked a download button, called the phone number, gave someone remote access to your computer, or entered payment information — you need to act quickly.
For a more detailed walkthrough, see our guide on what to do if you clicked a phishing link.
Can a fake virus popup actually infect my computer?
The popup itself is just a webpage — it cannot install malware on its own. The danger comes from what you do next. If you click a button inside the popup, call the phone number it displays, or download the "antivirus" it recommends, you could install actual malware or hand remote access to a scammer. The safest response is to close the tab without interacting with anything on the page.
Why do I keep getting fake virus popups even after closing them?
The most common cause is browser notification permissions. At some point, a website asked to send you notifications and you clicked Allow. Now that site can push popup-style messages to your screen anytime, even when the browser is closed. Go to your browser's notification settings and remove any sites you don't recognize. Also check your installed extensions — a rogue extension can redirect you to scam pages repeatedly.
How can I tell the difference between a real virus warning and a fake one?
Real antivirus warnings come from software installed on your computer (like Windows Defender or Malwarebytes) — they appear as system-level notifications, not inside a browser tab. Fake virus warnings appear as web pages with flashy colors, countdown timers, and alarming language like "Your PC is infected with 5 viruses!" They often include a phone number to call or a download button. If a virus warning is inside your browser, it is almost certainly fake.